Saved states don't work

[automatedbugreportingfacility]

Platform / OS / Hardware: RetroArch / Android / Samsung Galaxy Note 10+

Flycast version: 93f4632

Hardware: Exynos 9825

Description of the Issue

Not sure if this is a regression from aff64d4, but I'm now getting issues where saved states fail to work. I'm not sure if you can debug the issue just looking at save states, but here they are anyway: states.zip

.state9 displays nothing when loaded, just plays some sound effects in a loop.
When I load .state10 in Debug+ASAN, it crashes immediately with:

04-12 22:59:26.825 28890 28890 I wrap.sh : =================================================================
04-12 22:59:26.826 28890 28890 I wrap.sh : �[1m�[31m==28898==ERROR: AddressSanitizer: global-buffer-overflow on address 0x006f3f46ed54 at pc 0x006f40279c58 bp 0x006f5ddfa990 sp 0x006f5ddfa988
04-12 22:59:26.826 28890 28890 I wrap.sh : �[1m�[0m�[1m�[34mREAD of size 4 at 0x006f3f46ed54 thread T87 (Flycast-emu)�[1m�[0m
04-12 22:59:26.854 28890 28890 I wrap.sh :     #0 ta_handle_cmd(unsigned int) in J:\flycast\core\hw\pvr/ta.cpp:231:25
04-12 22:59:26.854 28890 28890 I wrap.sh :     #1 ta_thd_data32_i(simd256_t const*) in J:\flycast\core\hw\pvr/ta.cpp:565:3
04-12 22:59:26.854 28890 28890 I wrap.sh :     #2 ta_vtx_data(SQBuffer const*, unsigned int) in J:\flycast\core\hw\pvr/ta.cpp:582:3
04-12 22:59:26.854 28890 28890 I wrap.sh :     #3 pvr_do_sort_dma() in J:\flycast\core\hw\pvr/pvr_sb_regs.cpp:96:3
04-12 22:59:26.854 28890 28890 I wrap.sh :     #4 RegWrite_SB_SDST(unsigned int, unsigned int) in J:\flycast\core\hw\pvr/pvr_sb_regs.cpp:110:3
04-12 22:59:26.854 28890 28890 I wrap.sh :     #5 void HwRegister::write<unsigned int>(unsigned int, unsigned int) in J:\flycast\core\hw/hwreg.h:64:4
04-12 22:59:26.854 28890 28890 I wrap.sh :     #6 void RegisterBank<&sb_regs.<unsigned int at offset 0>, 1344ul, 65535u, 6252544u>::write<unsigned int>(unsigned int, unsigned int) in J:\flycast\core\hw/hwreg.h:279:21
04-12 22:59:26.854 28890 28890 I wrap.sh :     #7 sb_WriteMem(unsigned int, unsigned int) in J:\flycast\core\hw\holly/sb.cpp:196:12
04-12 22:59:26.854 28890 28890 I wrap.sh :     #8 void WriteMem_area0<unsigned int, 0u, false>(unsigned int, unsigned int) in J:\flycast\core\hw\holly/sb_mem.cpp:199:4
04-12 22:59:26.855 28890 28890 I wrap.sh :     #9 void addrspace::writet<unsigned int>(unsigned int, unsigned int) in J:\flycast\core\hw\mem/addrspace.cpp:176:4
04-12 22:59:26.855 28890 28890 I wrap.sh :     #10 addrspace::write32(unsigned int, unsigned int) in J:\flycast\core\hw\mem/addrspace.cpp:204:47
04-12 22:59:26.855 28890 28890 I wrap.sh :
04-12 22:59:26.855 28890 28890 I wrap.sh : �[1m�[32m0x006f3f46ed54 is located 44 bytes to the left of global variable '<string literal>' defined in 'J:\flycast\core\hw\pvr\ta.cpp:256:4' (0x6f3f46ed80) of size 35
04-12 22:59:26.855 28890 28890 I wrap.sh : �[1m�[0m  '<string literal>' is ascii string 'Fatal error : %s
04-12 22:59:26.855 28890 28890 I wrap.sh :  in %s -> %s : %d'
04-12 22:59:26.855 28890 28890 I wrap.sh : �[1m�[32m0x006f3f46ed54 is located 0 bytes to the right of global variable 'ListEndInterrupt' defined in 'J:\flycast\core\hw\pvr\ta.cpp:198:31' (0x6f3f46ed40) of size 20
04-12 22:59:26.855 28890 28890 I wrap.sh : �[1m�[0mAddressSanitizer:DEADLYSIGNAL
04-12 22:59:26.855 28890 28890 I wrap.sh : AddressSanitizer: nested bug in the same thread, aborting.
04-12 22:59:27.049 28890 28890 I wrap.sh : wrap.sh terminated by exit(1)

It looks like the save states might be corrupted somehow? Happy to help with capturing logs and debugging of course.

[automatedbugreportingfacility]

FWIW, I checked with the following diagnostic patch applied:

diff --git a/core/serialize.h b/core/serialize.h
index 7a6cb2895..9c715a22b 100644
--- a/core/serialize.h
+++ b/core/serialize.h
@@ -173,6 +173,7 @@ public:
 	}
 	bool dryrun() const { return data == nullptr; }
 
+	inline static bool isSerializing = false;
 private:
 	void doSerialize(const void *src, size_t size)
 	{
diff --git a/shell/libretro/libretro.cpp b/shell/libretro/libretro.cpp
index a4bf1b0ab..efa41d52a 100644
--- a/shell/libretro/libretro.cpp
+++ b/shell/libretro/libretro.cpp
@@ -1176,10 +1176,14 @@ void retro_run()
 		glsm_ctl(GLSM_CTL_STATE_BIND, nullptr);
 #endif
 
-	if (!emu.running())
+	if (!emu.running()) {
 		// It could be the first time retro_run() is called,
 		// or it was paused in retro_serialize_size() and retro_serialize() was never called
+		if (Serializer::isSerializing) {
+			*((unsigned char*)(0x500)) = 0x0;
+		}
 		emu.start();
+	}
 
 	poll_cb();
 	os_UpdateInputState();
@@ -2326,6 +2330,7 @@ size_t retro_serialize_size()
 		return 0;
 	}
 
+	Serializer::isSerializing = true;
 	Serializer ser;
 	dc_serialize(ser);
 	if (!first_run && ser.size() == 0)
@@ -2348,6 +2353,7 @@ bool retro_serialize(void *data, size_t size)
 
 	Serializer ser(data, size);
 	dc_serialize(ser);
+	Serializer::isSerializing = false;
 	if (!first_run)
 		emu.start();

It crashed trying to write 0x500 upon the first attempt to save a state, indicating that retro_run() can be called before retro_serialize() is done.

[flyinghead]

I checked the savestates and loading them in standalone causes the same issues as in RA. As far as I can tell the savestates themselves are correct, and the system isn't corrupted after loading them. But some data is probably missing to restore a working state.

[flyinghead]

I reverted my last "fix" because it was breaking many things.
I don't have any solution to this issue right now because the libretro documentation says that "retro_serialize_size() returned values should never decrease", which means it has to be a maximum value.
However returning 1GB isn't going to make the front-end happy...

[automatedbugreportingfacility]

I reverted my last "fix" because it was breaking many things.

Just to be clear, do you mean that serialization will fail to work correctly if the emu is stopped? That particular diagnostic crash can be probably fixed by querying Serializer::isSerializing (be it a boolean or a decremented integer to guard against the case where retro_serialize_size() is called but retro_serialize() isn't, if it can ever happen) in retro_run().

retro_serialize_size() returned values should never decrease

Yeah, I stumbled upon this information in the docs, it seems that this requirement is overly optimistic. Also: "the returned size is never allowed to be larger than a previous returned value, to ensure that the frontend can allocate a save state buffer once" -- then why even query retro_serialize_size() each time a state is saved?

According to https://docs.libretro.com/development/cores/developing-cores/#retro_serialize_size-retro_serialize-and-retro_unserialize, "This certainty is fundamental to the rewind implementation", so maybe you can get away with breaking that requirement as long as rewind isn't used. Also, it says that "This requirement only holds between calls to retro_load_game() and retro_unload_game()", so maybe a workaround would be to allow the save state size to be specified as an advanced option, i.e. a user can set a static size of 10 MB or whatever, and then be warned by the core if it's ever exceeded. The user would then increase the size by whatever, restart the core (retro_unload_game(); retro_load_game()), load the saved state, and could keep going on. That'd be better than the current state, which is very broken and crash-prone :(

[jlansing]

I have been having issues with unplayable save states using RA + Flycast Core on Mac since I got it setup in February (2025). I finally had some time to investigate and I have it tracked down to this same issue. Happy to open a new issue if it warrants it, but I think this is a significant issue with the current implementation. My findings below...

I found the same docs y'all mentioned above about the importance of retro_serialize_size() never increasing, and the current implementation all but guarantees that will happen occasionally, since the current implementation is actually serializing the current snapshot just to generate the size. This seems risky on its own as the state may already change size by the time retro_serialize() is called by the front end.

I have seen this issue with both Phantasy Star Online and Skies of Arcadia, and in adding some debug logs the order of events to trigger it is something like this (numbers made up for illustration):

1. First save: retro_serialize_size() returns 23MB
2. RetroArch allocates: 23MB buffer for all future operations during game life span
3. Later save: Emulator needs 23.1MB, but retro_serialize_size() still gets called
4. RetroArch ignores the new size (per spec: "cannot ever increase")
5. RetroArch passes: A 23MB buffer to retro_serialize()
6. Flycast tries to write: 23.1MB of data into 23MB buffer
7. Result: Buffer overflow - only first 23MB gets written
8. Corrupt save state

So I think the biggest thing as you said is retro_serialize_size() should likely be a static upper bound that does not require an inline snapshot serialization (FWIW pcsx_rearmed which I have used a ton and never had issues with does just this: https://github.com/notaz/pcsx_rearmed/blob/913629046745fb5f5ce548fcb248f02cf5b9c079/frontend/libretro.c#L1163).

Additionally according to the docs it sounds like it's best practice to fill any unused data in the buffer with 0s. Here's an example I added locally that seems to work.

bool retro_serialize(void *data, size_t size)
{
	NOTICE_LOG(SAVESTATE, "retro_serialize %d bytes buffer, actual data size will be smaller", (int)size);
	std::lock_guard<std::mutex> lock(mtx_serialization);

	if (!first_run)
		try
		{
			emu.stop();
		}
		catch (const FlycastException &e)
		{
			ERROR_LOG(COMMON, "%s", e.what());
			return false;
		}

	Serializer ser(data, size);
	dc_serialize(ser);

	NOTICE_LOG(SAVESTATE, "Serialized %d bytes (buffer was %d bytes)", (int)ser.size(), (int)size);

	// Zero out any unused portion of the buffer for consistency
	if (ser.size() < size && data != nullptr)
	{
		memset((u8 *)data + ser.size(), 0, size - ser.size());
	}

	if (!first_run)
		emu.start();

	return true;
}

Some additional data:

1. I did a DEBUG build of the core locally on Mac and ran it in RA... this did NOT seem to trigger the same issue, and every save state generated seems to have the same size.
2. I also tested on Windows using just latest RA and Flycast core with the same Skies of Arcadia disk image and save state sequence and it too works just fine.

My thinking here is there is something going on with the memory footprint of one (or more) of the subsystems that tend to be static and thus don't cause any issues, but perhaps this Android build and the latest Mac build have some optimizations that expose the nature and risk of having variable serialization sizes.

I agree you don't just want to go to 1 GB, but maybe there is a more reasonable upper bound (setting mine to 42 MB resolved all of my issues), or maybe there is a way to have each subsystem have a more static allocation.

I am happy to help put together a PR or test changes or anything, but I am new to this so just let me know how I can be most helpful in resolving this issue. Thanks!

[jlansing]

I have a couple PRs to propose to address this. The first I just created and is just an underlying improvement to detect and communicate this situation that the front end/core are unable to successfully create a save state.

The second PR I think will be more controversial, but it will add new core options to either dynamically (legacy) or statically size the save states. When using static sizing, there's an additional core option to specify how many MB you want to use for your save states. Definitely not user friendly, but for those of us running into this issue would provide a reasonable fix. I'll try to clean this up and post it for discussion in the next week or two.

A better approach would be to see if we can properly calculate upper bound on memory for all of the subsystems but I don't know how feasible that is.

[flyinghead]

I really don't like the idea of pushing this to users. How would they know how many MB are needed?
There's a minimum savestate size for each emulated system, and we can add like 10%, 20% or whatever it takes to cover 99.9% of cases.

[jlansing]

Sounds good @flyinghead I am very onboard with that approach and not pushing this to the user. It also seems to be what other cores do (just have a hard coded value that covers most cases). I am happy to take on that work but could use some guidance on determining the minimum size of each system so that we reach a reasonable number that won't eat up too much space. Just load up a few games and trace the serialization logic to get size of each on startup? Or did you have something else in mind?

[flyinghead]

Yes, try a game for each subsystem and trace the savestate size.
On Dreamcast, set 4 controllers each with 2 VMUs.
For arcade systems, the inputs and connected hardware are static but depend on each game so it's a bit tricky.
Now the bulk of savestates is RAM (main RAM, VRAM and audio RAM). The rest is almost negligible.
Here are the RAM sizes for the various systems (RAM, VRAM, audio RAM, elan RAM in MB):
dreamcast: 16+8+2
naomi: 32+16+8
naomi2: 32+16+8+32
atomiswave: 16+8+2
systemsp: 32+16+8
(this last one is a bit special since the cartridge RAM may be serialized too and it's huge. I'll give you some numbers)

[flyinghead]

FYI standalone Flycast uses fixed-size savestates when running in GGPO network rollback mode. In this mode RAM regions are saved separately and only the extra stuff (registers, hardware, etc.) is saved with the serialization framework. In this case, Flycast allocates 10 MB for dreamcast/atomiswave and 20 MB for naomi/naomi2 (systemsp isn't supported).

GGPO saves state at every frame, typically when there's no rendering in progress, so there's less chance to have additional in-flight render data but it should be more than enough.